I’m hearing some talk this evening about a new Mac trojan called MacDefender, possibly related to the PC Defender trojan. From what I hear, it is apparently fake anti-virus software, downloaded to “protect” your computer from malicious web sites that claim to have detected a virus on your machine. Once installed, it supposedly tries to convince you to buy the program. What else it might be doing behind the scenes is still unclear, as is how widespread a problem this might become. As soon as I have more information I will add it to my Mac Virus Guide.

I’m hearing a lot of talk today about something called Fast Windows Antivirus, which confusingly is being installed on people’s Macs. How it gets there I’m still not sure of – though it sounds like a lot of people are connecting it to downloading something from Google Images – and whether this is the same thing as MacDefender I’m also unsure of. However, over on the Apple Support Communities, there’s talk from folks who have been scammed into spending $99 on one of these, and a lot of people are looking for ways to remove it. I have no idea yet if it has been added to malware definitions for anti-virus software like ClamXav or Sophos Anti-Virus for Mac Home Edition. My gut says probably not yet, since it’s a weekend. I’m betting we’ll be flooded with news on this on Monday. For now, beware!

This post is more than 30 days old and has been locked. No further comments are allowed.

MacDefender has been noticed by the security companies this morning. Intego reps are posting on Apple Support Communities looking for samples of this trojan, and Intego has posted a blog entry describing what they have discovered. Apparently, this trojan is somehow downloaded after people searching the Google Images database get redirected to a malicious site. How the installer ends up running by itself is unknown, but may point to a security hole in Safari. Read the rest of this entry »

This post is more than 30 days old and has been locked. No further comments are allowed.

I have located a copy of the MacDefender trojan (thanks to Linc Davis, who sent me the link) and have done some testing myself. Below is a detailed account of my experiences with it, as a continuing addition to previous news on this issue on my blog. Read the rest of this entry »

Last night, the ClamXav virus definition database was updated to recognize the MacDefender trojan. This is important, because many Mac users do not like the more intrusive anti-virus software from the major vendors. ClamXav is the preferred AV tool for many, and the one I have always recommended, so it’s good to know that it has been updated quickly.

This post is more than 30 days old and has been locked. No further comments are allowed.

For those who have been following news coverage of the new MacDefender trojan, first discovered last weekend, you will know that its primary vector for transmission was apparently Google Images. Unfortunately, poisoning of Google Images’ cache has apparently not changed, and if anything, may have gotten worse. I had previously been unable to locate a copy of MacDefender, even on Google Images. I only got hold of a copy because a reader contacted me privately with information on where to find it. Last night, however, as I was doing some searches on Google Images, I came across MacDefender scam sites no less than 5 times in 15 minutes. Read the rest of this entry »

This post is more than 30 days old and has been locked. No further comments are allowed.

A new variant of MacDefender has appeared, called MacSecurity. The name is different, as is the appearance of the fake “anti-virus scan” website. However, in all other respects, it is the same as MacDefender, as far as I can tell.

A number of people are reporting yet another MacDefender variant this morning. This time, it’s named MacProtector, but it sounds like the method of operation is the same. Mac users should be on their guard against an attack of this type, regardless of the name. (If you haven’t been following along, see all my coverage of the MacDefender trojan.)

If anyone can send me a link where MacProtect can be found, so I can verify that it behaves the same as MacDefender, please do!

Edit: Thanks to pieinoz for pointing me to just the right search terms to use on Google Images to find MacProtector. As I suspected, it does appear to be nothing more than a variant of MacDefender. After updating my ClamXav definitions this morning, I found that it will detect both MacSecurity and MacProtector.

A lot of people are being affected by MacDefender, or one of the variants of MacDefender (MacSecurity, MacProtector and MacGuard, at this time, possibly more in the future). As a result, I’m getting a lot of questions from people about how to tell if they’re infected, how to get rid of the trojan and what else they need to worry about. Hopefully, I will answer all those questions and more here. For those unfamiliar with these trojans, see my previous MacDefender news posts. Read the rest of this entry »

There have been reports circulating that MacDefender/MacSecurity/MacProtector may be doing nasty things like scanning the hard drive and sending data home. If this is true, it would be a more serious problem. The behavior that has been documented to date is less dangerous because it is entirely under your control. You choose whether to proceed with the installation, and you choose whether to give a credit card number. Many people have accepted the installation, but balked at the credit card… but that could be a problem if the trojan is doing other things behind the scenes. So, are these rumors true? Here’s what I found. Read the rest of this entry »